Protecting e-commerce assets is not an option but a necessity if commerce is to grow strong. The electronic world will always have to deal with viruses, worms, Trojan horses, eavesdroppers and destructive programs whose goals are to disrupt, delay or deny communications and information flow between consumers and producers. Billions of dollars are at stake, and security protection must continually be developed to provide consumers with confidence in the online systems with which they interact and through which they conduct business.
Thus, any organization concerned about protecting its e-commerce assets should have a security policy in place.
A security policy is a written statement describing:
- Which assets to protect and why they are being protected
- Who is responsible for that protection
- Which behaviors are acceptable and which are not
The security policy primarily addresses physical security, network security, access authorization, virus protection and disaster recovery. The security policy is a living written document which is reviewed and updated at regular intervals.
In order to ensure the minimum level of acceptable security for most e-commerce operations, a comprehensive security policy should fulfill some basic requirements, which are the following:
- Secrecy: It refers to preventing unauthorized persons from reading messages and business plans, obtaining credit card numbers or deriving other confidential information.
- Integrity: It refers to ensuring that a communication received has not been altered or tampered with. For this, information is enclosed in a digital envelope so that the receiving computer can automatically detect messages that have been altered in transit.
- Availability: It refers to ensuring access to a resource. It provides delivery assurance for each message segment so that messages or message segments cannot be lost undetectably.
- Key management: It provides secure distribution and management of the keys needed to provide secure communication.
- Non-repudiation: It refers to ensuring that none of the parties involved can deny an operation at a later date. It provides end-to-end proof of each message's origin and recipient.
- Authentication: It securely identifies clients and servers with digital signatures and certificates.
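The integrity and availability requirements above can be made concrete with a small "digital envelope" check. The following is an added example, not code from the original text: it wraps each message segment with a sequence number and an HMAC-SHA256 tag under a pre-shared key (the key, the `seal`/`Receiver` names and the sample order segments are all constructed assumptions), so the receiver can detect a segment altered in transit, a segment that never arrived, or a replayed segment. Note the caveat a practitioner should keep in mind: an HMAC proves integrity and origin only between the parties holding the shared key; the non-repudiation and authentication requirements in the list need asymmetric digital signatures and certificates, which this example does not implement.

```python
import hashlib
import hmac
import json

# Constructed pre-shared key for the example only; in practice it is supplied by
# the key-management process the policy calls for (assumption, not from the text).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def seal(seq: int, payload: dict, key: bytes = SHARED_KEY) -> dict:
    """Wrap a segment in a 'digital envelope': a sequence number plus an
    HMAC-SHA256 tag over the canonical JSON body, so alteration is detectable."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Verifies envelopes and tracks sequence numbers so that a missing or
    replayed segment is reported instead of being silently accepted."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.expected_seq = 0
        self.accepted = []   # payloads that passed every check
        self.events = []     # security-relevant findings, in arrival order

    def receive(self, envelope: dict) -> bool:
        body = envelope["body"]
        expected_tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        # Integrity check, constant-time: never compare MAC tags with '=='.
        if not hmac.compare_digest(expected_tag, envelope["tag"]):
            self.events.append("tampered")
            return False
        msg = json.loads(body)
        seq = msg["seq"]
        if seq < self.expected_seq:
            # A segment already accepted has been presented again.
            self.events.append(f"replay:{seq}")
            return False
        if seq > self.expected_seq:
            # Availability check: segments expected_seq..seq-1 never arrived.
            self.events.append(f"gap:{self.expected_seq}-{seq - 1}")
        self.expected_seq = seq + 1
        self.accepted.append(msg["payload"])
        return True


def run_demo() -> tuple:
    """Constructed scenario: three order segments, the second altered in
    transit, then the first one replayed. Returns (accepted payloads, events)."""
    orders = [
        {"order": 1001, "amount": "9.99"},
        {"order": 1002, "amount": "49.00"},
        {"order": 1003, "amount": "120.00"},
    ]
    envelopes = [seal(i, o) for i, o in enumerate(orders)]
    # Segment 1 is modified in transit (constructed); its tag no longer matches.
    envelopes[1] = {"body": envelopes[1]["body"].replace("49.00", "0.01"),
                    "tag": envelopes[1]["tag"]}
    rx = Receiver()
    for env in envelopes:
        rx.receive(env)
    rx.receive(seal(0, orders[0]))   # replay of an already-accepted segment
    return rx.accepted, rx.events


if __name__ == "__main__":
    accepted, events = run_demo()
    print("accepted:", accepted)
    print("events:", events)
```

Running the demo accepts segments 0 and 2 only and reports `tampered`, `gap:1-1` and `replay:0`: the altered segment is rejected by the tag check, the gap it leaves is reported rather than lost undetectably, and the replayed segment is refused because its sequence number has already been consumed.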
Thus organizations must protect assets from unauthorized disclosure, modification or destruction.